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Brief Recap of OpenDLP 



OpenDLP is a data discovery tool for 
filesystems and databases 

Free and open source (GPLv3) 

It has support for agent scanning (Windows) 
or agentless scanning (Windows/UNIX/DBs) 

Uses profiles to scan systems/DBs: 

° Administrative credentials 
° Whitelist/blacklist files/directories 
Regular expressions to use when searching for data 
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Brief Recap of OpenDLP 



► Today will concentrate on agent scanning 

► Old method: 

° User configures profile and enters list of IPs to scan 

° OpenDLP webapp pushes agent to Windows boxes 
over SMB 

° Agent starts as a Windows service at low priority 
° Agent scans directories/files based on profile 
° Agent phones home every X seconds with results 
° When agent is done, webapp uninstalls it 
Can view results, mark false positives, export XML 

► Live demo of agent scanning 
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Current Limitations of OpenDLP 



► In order to deploy to multiple systems with a 
single profile, you must have domain admin 
credentials or the hash 

► If you don't have domain admin credentials, 
you need to create a profile for each system 
with different passwords or hashes (must be 
a system account due to service interactions) 




Goals of the Project 



Need to have the ability to search 
compromised machines for Pll with or without 
having credentials 

The tool must have minimal impact on the 
users of the machines compromised 

The tool must cleanup deployed files after it 
has finished searching 

The tool must minimize the risks associated 
with leaking the data 

The tool must use freely available software 
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The tools were in a bag... 

What better tools to use than we ones we've 
been using already 

OpenDLP for scanning and viewing the results 
Metasploit for compromising the systems 
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So OpenDLP is almost the 

solution.. . 

Since we are performing a Pentest and using 
Metasploit to gain access to machines, can we 
leverage Metasploit to deploy OpenDLP? 

° Not as OpenDLP exists, we must have credentials or 
hashes 

° Even with hashdump, we cannot guarantee that we 
get a domain admin account 

° While we can use system accounts, it is too 
cumbersome to create a profile per machine 



Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 



No credentials, no problem 



Rather than using Metasploit to get the 
credentials (and copying them manually into 
a profile) why not simply use Metasploit for 
deployment? 

Metasploit meterpreter sessions provide the 
ability to: 

° Upload /down load files 
° Execute programs on the target 
Manage Services 

Metasploit RPC provides a mechanism to 
drive from remote 
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Why Metasploit? 



Openly available Exploit Framework that 
many Pentesters use, including us 

Has an RPC interface that allows another tool 
to list compromised systems and interact 
with them 

Many routines that allow you to deploy 
services, elevate privileges, download/upload 
files, and execute applications on the target 
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OpenDLP Metasploit Bridge 

The OpenDLP Metasploit Bridge gives 
OpenDLP the ability to use Metasploit 
sessions to deploy the agent scanner 

Allows the user to create a single profile for 
windows Metasploit sessions regardless of 
the credentials necessary for the machines 

All features of the current OpenDLP 
deployment are available via Metasploit 
Sessions 
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OpenDLP System Layout 



Metasploit RPC Server 




opendlp 
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reakout of the Metasploit Bridge 



Modifications to the OpenDLP web pages to 
include Metasploit Integration 

Creation of a Metasploiter perl module to 
handle interacting with Metasploit RPC to 
include console interaction 

Metasploit Post Module that handles 
deployment of the OpenDLP agent, including 
uploading files, service management, 
configuration passing, and downloading files. 
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MetaSploiter Background 

Since OpenDLP is written in perl, I needed a perl 
module to communicate with Metasploit 

Stand-alone perl module to interact with 
meterpreter sessions from any perl program 

Parses RPC responses so you don't have to 
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MetaSploiter: Highlights 



Login and acquire persistent credentials 
Get Metasploit version 

Get list of sessions (and details about each session) 

Interact with sessions via meterpreter read and 
writes (Synchronous writes too) 

Upload/download files between Metasploit and 
target session 

Create and change remote path (on target system) 

Change local (to Metasploit) path 

Remotely execute apps on the target (opens a 
channel and wait for the results) 

Check if connected to Armitage console 
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MetaSploiter: Sample Usage 

Logon to Metasploit and acquire persistent auth 
token 



use Strict; 

use MetaSploiter; 

my $ret_code = 0; 

my $metaSploiter = MetaSploiter->new ( ) ; 

if ($ret_code = $metaSploiter->MetaLogin ( "192 . 168 . 1 . 100", # host 

55552, # port 

"msf", # user 

"fOObar", # password 

1) ) # 0=plaintext 1=SSL 

{ 

die ( $metaSploiter->GetLastError ( ) ) ; 

} 

"Logged in (Temporary token: " . $metaSploiter->GetAuthToken ( ) . ").\n"; 
if ($ret_code = $metaSploiter->AcquirePer sistentToken ( ) ) { 
die ( $metaSploiter->GetLastError ( ) ) ; 

} 

"Acquired persistent token: ". $metaSploiter->GetAuthToken ( ) . ".\n"; 
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MetaSploiter: Sample Usage 

► Retrieve the session list 



if ($ret_code = $metaSploiter->List Sessions () ) { 
die ( $metaSploiter->GetLastError ( ) ) ; 

} 

my QsessionList = $metaSploiter->GetSessionList ( ) ; 

my $countTo = scalar QsessionList); 

print "Current active sessions: $countTo\n"; 

if ($countTo > ) { 

print "Displaying sessions. . . \n"; 

for (my $i = 0; $i < $countTo; $i++) { 

print " Session " . $sessionList [ $i ] ->sessionName .": "; 

$sessionList [$i] ->target_host . " - " . $sessionList [ $i ] ->inf o . "\n"; 

} 

} 
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MetaSploiter: Sample Usage 



Print the Metasploit version 
° Change the remote path in a session and print it 
° Release the persistent token to finish 



print "Current Metasploit Version: " . $metaSploiter->GetMetasploitVer sion ( ) . "\n"; 

my $sessionId = 5; #Assuming for this demo that session 5 exists. 

($ret_code = $metaSploiter->ChangeRemotePath ( $sessionId, "c: /program files") ) { 
die ( $metaSploiter->GetLastError ( ) ) ; 

} 

if ($ret_code = $metaSploiter->SendAndWait ( $sessionId, "pwd")) { 
die ( $metaSploiter->GetLastError ( ) ) ; 

} 

"Current path on session $sessionId: " . $metaSploiter->GetCommandResponse ( ) ; 

if ($ret_code = $metaSploiter->ReleasePer sistentToken ( ) ) { 
die ( $metaSploiter->GetLastError ( ) ) ; 

} 

print "Released persistent token. \n"; 
print "Done . \n\n" ; 
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MetaSploiter: Sample Usage 

Output from this small application looks like this: 



Logged in (Temporary token: TEMPOTr5B1 HpCzCJpTflgYAH2uQBROoT). 
Acquired persistent token: SjyBUZYLxvDRRfoyp3DdDsomEwWdMJaC. 
Current active sessions: 3 
Displaying sessions... 

Session 6: 192.168.1 .109 - NT AUTHORITYVSYSTEM @ GAETA 
Session 5: 192.168.1 .102 - NT AUTHORITYVSYSTEM @ ADAM A 
Session 3: 192.168.1 .105 - NT AUTHORITYVSYSTEM @ DUALLA 

Current Metasploit Version: 4.3.0-dev 

Current path on session 5: cAprogram files 

Released persistent token. 

Done. 



Note: The above demo code above showcases just a subset of the 
functionality available inside the MetaSploiter package. 
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MetaSploiter Weaknesses 



Uses the Meterpreter RPC commands 

° Access to Meterpreter sessions is not synchronized 

° Unable to match a response to a particular command, or to 
a particular user 

• one user sends a "pwd" and another attempts to cat a file at the 
same time, whoever reads first will get the data, and it will likely 
not be the expected response 

° Therefore, more than one application cannot access the 6 
same meterpreter session at the same time. This means 
applications using the MetaSploiter module, or even using 
meterpreter from a Metasploit console. 

° Files must be downloaded to the Metasploit box and 
retrieved manually (no direct download through RPC) 



C.E.S.l 



Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 



Slide 20 



Is this correct? You will have a difficult audience. Make sure that the console has issues also. 

Michael, 5/1/2012 

C.E.S.l Reworded that paragraph to be less confusing 

Charles Smith, 5/22/2012 



How Armitage Influenced our direction 



► Previous weaknesses mean that MetaSploiter and 
Armitage do not play nicely 

► Armitage's mutiplexing of commands and sharing 
sessions does not work for non-Armitage clients 

Armitage command responses may be unintentionally 
intercepted by MetaSploiter, and MetaSploiter commands 
will cause Armitage to miss (or misinterpret) expected 
responses 
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2 Make sure this statement is correct. I believe it is correct, but did you actually experience this? 

Michael, 5/1/2012 

C.E.S.2 Yes, I tested this. If I'm running armitage and I connect to meterpreter and start sending commands, armitage will get confused. If I create a simpl 
app that constantly reads from meterpreter and does nothing but consume, then armitage will timeout or not display complete results because 
they've been consumed by someone else. I have not however tried this in team server mode, though. 

Charles Smith, 5/22/2012 



Check for Armitage 



MetaSploiter includes a CheckForArmitage method to 
determine if Armitage is connected to the RPC server 

° If it is connected to an Armitage server, you can still use 
MetaSploiter, but you must ensure no-one else uses Armitage 
while your application is running 



print "Checking for Armitage... "; 

my $arm = $metaSploiter->CheckForArmitage ( ) ; 

if ($arm == ) { die ( $metaSploiter->GetLastError ( ) ) ; } 

if ($arm == )) { print "Not using Armitage . \n" ; } 

if ($arm == ) { 

print "WARNING: ARMITAGE DETECTED . \n" ; 

" Armitage and other clients cannot be used on the same \n"; 

print " session at the same time. \n"; 

print " When using MetaSploiter, do not interact with \n"; 

" the session through Armitage, or the client may fail.\n"; 

} 
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OpenDLP Post Module 

Developed in order to overcome the issues 
with interacting with meterpreter sessions 
using MetaSploiter and the RPC 

° Metasploit post module to be installed on the 
Metasploit system, in windows/gather/opendlp 

° MetaPostModule perl module installed with 
OpenDLP web application 

• Overrides MetaSploiter, but has additional functionality 
specific to calling our post module 
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Post Modules executed over 

RPC directly 

Our first pass was to create a Post Module 
and execute via the "module. execute" RPC 
command 

Worked great, but no way to view status messages 

° Considered modifying Metasploit to provide a 
mechanism to get the output via a new RPC 
command, but it was not clean 

° Decided to move to a new console and execute the 
post module from there over RPC 

• By using the console, we were able to download files 
from the target directly to the OpenDLP System 
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OpenDLP Post Module Actions 



► The OpenDLP post module may execute six different 
actions, detailed below: 

• DEPLOY - 

• Creates a directory on the target system. 

• Uploads the OpenDLP files. 

• Executes the self-extracting archive. 

• Writes the configuration file. 

• Installs the OpenDLP service. 

• Starts the OpenDLP service. 

• START - Starts the OpenDLP service on the target system. 

• STOP - Stops the OpenDLP service on the target system. 

• DELETE - Uninstalls the OpenDLP service from the target 
system. 

• REMOVE - Removes the installation files and directory from the 
target system 

• READFILE - Reads a file on the target system and prints it to the 
console 
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OpenDLP Post Module 



MetaPostModule creates a new console and 
executes the post module action in the console 

There are no visible interactions with the meterpreter 
session 

To deploy, set the following properties: 

° ModuleName - should be to "windows/gather/opendlp" 

° ConfigString - Base64-encoded string of the OpenDLP 
configuration created by OpenDLP in start-verify.html 

° SourcePath -Path to the OpenDLP files to upload from 
the Metasploit box 

° RemotePath - The installation directory on the target 

° Sessionld - The session to which you are deploying 
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OpenDLP Post Module: 
Deployment 

Ensure module exists on Metasploit by calling 
CheckForModuleO 

Deploy via the DeployOpenDLPQ 



my $metaPostModule = MetaPostModule->new ( ) ; 

$metaPostModule->MetaLogin ( "192 . 168 . 1 . 109", 55552, "msf ", "f OObar", ) ; 
$metaPostModule->SetModuleName ( "windows/ gather/ opendlp" ) ; 
if ($ret_code = $metaPostModule->CheckForModule ( ) ) { 

"Module \ "windows/gather /opendlp\ " is not installed on the Metasploit host."; 

} 

$conf igString = encode_base6 4 ( "OpenDLP-generated configuration string") ; 
$metaPostModule->SetSourcePath ( "c : /metasploit /OpenDLP_f iles " ) ; 
$metaPostModule->SetRemotePath ( "c : /program f iles/opendlp" ) ; 
$metaPostModule->SetConf igString ( $conf igString) ; 
$metaPostModule->SetSessionId ( ) ; 
$ret_code = $metaPostModule->DeployOpenDLP ( ) ; 

LogMe ( $metaPostModule->GetCommandResponse ( ) ) ; #log the full results 
if ($ret_code) { 

"Failed to deploy OpenDLP: " . $metaPostModule->GetLastError ( ) ; 

} else { 

print "Successfully deployed OpenDLP. \n"; 

} 
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OpenDLP Post Module 
File Download 



► Files containing Pll can now be retrieved directly 

° It is no longer necessary to save them on the Metasploit 
box as it is with the MetaSploiter module 

► To get the contents of a remote file: 



my 


$ret_code = 


$postMod->ReadFile ( "c : Whel 


.loworld . txt " ) ; 


if 


( $ret_code ) 


{ "Error: " . $postMod- 


->GetLastError ( ) ; } 


pr i 


_nt $postMod- 


->GetFileData ( ) ; 






User Interface walk-through 



► To add support for the Metasploit bridge to 
OpenDLP, many of the web pages needed to 
be changed or updated, and several new 
pages were added as well. 

The following slides give a brief overview of the 
files that were changed, why they were 
changed, and screen shots to show the 
changes. 




Web Page Mods: Profiles 



profiles.html 

° Added the following fields necessary to login to 
Metasploit and use the RPC bridge: 

• Metasploit Host and Port -Metasploit RPC server 

• Metasploit User and Password - RPC Login credentials 

• Path to OpenDLP files - Location on Metasploit box 
where the OpenDLP installation files are located 

• Metasploit Latency - Time in milliseconds spent 
between polling meterpreter for more results 

• Metasploit Timeout - Time in seconds to wait for a 
response, before giving up 
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Create a new scan profile 



Profile Name ® 



Scan Type ® 



Mask Sensitive Data?® 



Usemame ® 



Password 



Metasploit Host ® 

IP of running Metasploit console. 



Metasploit Port ® 

Port of running Metasploit console. 



Metasploit User® 
xrmlrpc usemame. 



Metasploit Password ® 
xmlrpc password. 



Path to OpenDLP files ® 
Location on Metasploit system 



Metasploit Latency (ms)® 
Leave alone unless CPU usage high 



Metasploit Timeout (s)® 

Time to wait for response before giving 

up 



Installation Path ® 
(Must be new directory} 



Memory Limit ® 

(as percent of target system's total RAM) 



metal 



Metasploit (agent) - Meterpreter deployment 



1 92.1 &S.1. 109 



E]Use SSL? 



55552 



msf 



C:\OpenDLP\bin 



100 



3C 



c:\Program Files\OpenDLP 



10% - 



. Scan all directories 

. Scan all directories except these (recursive) 
9 Only scan the following directories (recursive) 
c: \nLoo 



'• i 

4* f .Jt) □ 192.163 .1 .106 http 5 : //19Z168 .1 .106/0 p en D LP/p rof i I es. htm I Ted it= p o stm □ d_sh □ rt 



ft 



Metasploit Framework... [_.] OpenDLP 0.4.2 [_.] http://10.175. 53 .15:800... Q Vincent Cheung: Encry... Firefox Addons for Pen... [__] Arrnitage - Cyber Atta... 
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OpenDLP 0.4.5 
Ma 




Create a new scan profile 



Profile Name @ 



Scan Type © 



Mask Sensitive Data?® 



Username © 



Password 



Metasploit Host ® 

IP of running Metasploit console. 



Metasploit Port © 

Port of running Metasploit console. 



Metasploit User® 
xmlrpc username. 



Metasploit Password ® 
xmlrpc password. 



Path to OpenDLP files © 
Location on Metasploit system 



Metasploit Latency (ms)® 
Leave alone unless CPU usage high 



Metasploit Timeout (s)® 

Time to wait for response before giving 

up 



Installation Path ® 
(Must be new directory} 



Memory Limit ® 

[as percent of target system's total RAM) 



meta2 



Metasploit (agent) - Post Module deployment [for Arrnitage compatibility) ▼ 



192.168.1.109 



SUse SSL? 



55552 



rnsf 



C:\OpenDLP\bin 



100 



30 



c:\Program Files\OpenDLP 



10% - 



. Scan all directories 
Scan all directories except these (recursive) 
Only scan the following directories (recursive) 

c: \ir.oo 



Web Page Mods: Starting a Scan 



► startscan.html 

° A Windows Agent Scan requires manual additions of 
the IP addresses to deploy to in your profile 

° Deployment via Metasploit uses sessions that can 
change as new boxes are popped, or if Metasploit is 
stopped and reloaded 

• Created a new page that lists the existing sessions and 
allows you to choose which sessions to deploy to 
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Start New Scan 



View Scans/Results 



Export Scan Results 
Delete Scan Results 




Start a New Scan 



Scan name 


scanl 




Profile 


ml [meta_agent) ▼ 


(or create a new profile! 


Notes 


Retrieve a list of sessions currently exploited by the Metasploit server (from 
the selected profile). Once you press "Get Sessions" below, you may pick 
and choose which sessions/systems you wish to deploy to. 




GetSessions 





Fire fox T 
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Start New Scan 



View Scans/Results 



Export Scan Results 
Delete Scan Results 




Start a New Metasploit Agent Scan 

Scan Name: scanl 

Profile: ml 

Scan Type: met a_a gent 

The following table contains a list of all exploit sessions on the Metasploit system. Note that for a 
successful OpenDLP deployment, the selected session must have a "Meterpreter" exploit type, and the 
session must be to a Windows (x8G/Win32) platform. 

Select the sessions to deploy to in the list below, and then click "Start Scan" to begin 



m 


Session Id 


IP Address:Port 


System Info 


Platform 


Exploit Type 


m 


6 


192.163.1.109:57047 


NT AUTH ORITY\S YSTE M @ DEV-HP-E14-3 


x86/win32 


meterpreter 


m 


5 


192.168.1.102:50626 


NT AUTH O RITY\S YSTE M @ ADAMA 


x86/win32 


meterpreter 



Start Scan 



Web Page Mods: Start Scan 



start-verify.html 

° Appears the same as before, but behind the scenes 
this is where all the code for deployment over the 
Metasploit bridge takes place 

° Metasploit configuration parameters are loaded 
from the database (Metasploit RPC host, port, login, 
password, etc) 

Deploys either to a Meterpreter-based bridge or a 
post-module-based bridge depending on the scan 
type 

° Detailed deployment info is output 
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Start New Scan 



View Scans/Results 



Export Scan Results 
Delete Scan Results 




Deploying a Metasploit Agent Filesystem Scan 



Do not close or leave this window until all scanners are deployed! 



General scan information 



Scan name: scanl 
Profile: ml 

Scan type: meta_agent 
Sessions: 6 5 
Concurrent: 4 



Logging msf onto 192.168.1.109:55553. 

Retrieving List of exploited sessions: 2 sessions found 



Session 5 (192.163.1.102): 
Session 6 (192. 163. 1.109): 
Session 6 (192.163. 1.109): 
Session 5 (192.163. 1.102): 
Session 6 (192. 163. 1.109): 



Trying to deploy (0 systems remain in queue; 
Trying to deploy (1 systems remain in queue; 
Attempting to start OpenDLP Service. 
Attempting to start OpenDLP Service 
OpenDLP deployed and started 



Deployment information for meterpreter session 6 (192.168.1.109): 



>>> Re-Connecting to Metasploit and logging on msf. 
>>> Got system. 

»> Creating "c:\Program Files\OpenDLP" 

»> Setting local path to "C:\0penDLP\bin" 

>>> Copied StrFile.exe file 

>>> Copied sc.exe file 

>>> Generated config ini file 

>>> Copied OpenDLPz.exe file 

>>> Copied client. pern file 

>>> Copied server.pem file 

>>> Uploading removal script. 

>>> Extract OpenDLPz.exe 

>>> OpenDLPz extraction successful 

>>> Creating OpenDLP sen/ice 



Web Page Mods: View Results 



► viewresults.html 

° Unlike IP addresses, Meterpreter session ids can 
and do change 

° Verifies that the session used for the results is still 
active and the IP address matches the address 
saved in the database 

• If the session is different, an error message pops up, 
and you can follow the instructions to re-associate the 
scan result with a currently active session 

° The database is updated and you can view the 
results 
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tart New Scan 



View Scans/Results 



Export Scan Results 



Delete Scan Results 




View Results 

Results for session 2 (192.163.1.102 - ADAMA ): 



It appears that session 2 has died. You will be unable to download files. 
Press the button below to review the current Metasploit session list and 
update the session id for this system. 



Update Session Id 



Profile 


ml 


Status 


finished 


Step 


3: Done 


Files Done 


3 


Files Total 


N/A 


Bytes Done 


1,103,694 


Bytes Total 


N/A 


Progress 




Percentage 


100% 


Completion Time 




Total Findings 


8 


False Positives 





Valid Findings 


8 


Updated 


79:34:40 ago 


Pause 


N/A 


Resume 


N/A 


Stop and Uninstall 


N/A 
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tart New Scan 



View Scans/Results 



Export Scan Results 



Delete Scan Results 




Update Session Id 

It appears session 2 has died. 

OpenDLP has found the following sessions as potential matches to the machine that was originally exploited in this session 
Choose a session below to update the database entry for this scan. If no entries are shown, the desired target is not 
currently exploited in Metasploit. 





Session Id 


IP Address:Port 


System Info 


Platform 


Exploit Type 




5 


192.168.1.102 


NT AUTH Q RITAS YSTEM @ ADAMA 


x86/win32 


meterpreter 



Update database with new Session Id 



L.j OpenDLP 0.4,5 



MGmail - Inbox (399) 



^ 192.168 .1 .106 http e ://192.16S .1 .106/0 p en D LP/u p d ates es : i c n i cl . htm I 



ft 



z - M eta splo it Framework... [_.] OpenDLP 0.4.2 ■ ■ http://10.175. 53 .15:800... Q Vincent Cheung: Encry... Firefox Addons for Pen... Armitage - Cyber Atta... 

^ Disable' A Cookies' / CSS' Forms' |Q| Images* 4tf Information' i_j Miscellaneous' > % Outline' Resize' ^ Tool:' o View Source' JL Options* 



OpenDLP 0.4.5 
Ma 




tart New Scan 



View Scans/Results 



Export Scan Results 



Delete Scan Results 




Session Id Updated 

Updated session id from 2 to 5. 

Press continue to return to scan results 



Continue 



Web Page Mods: Downloads 



download_file.html 

MetaSploiter downloads files to the Metasploit box 
instead of the user 

• The path used is the "Path to Metasploit files" saved in 
the profile, plus the profile name, session, and IP 
address 

The OpenDLP Post module implementation does not 
have this restriction. 
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tart New Scan 



View Scans/Results 



Export Scan Results 



Delete Scan Results 




Notice: 

Files located on a remote system connected to Metasploit can only be downloaded from the rei 
Metasploit server. There is no RPC method for transferring those files from Metasploit back to tP 
Therefore, files will be saved on the Metasploit server, in the local path "Ci/OpenDLP/bin/ml/ses 

»> Logging user msf onto Metasploit Server. 

>>> Changing local path to Metasploit path (from profile). 

>>> Downloading file... 

File c:/moo/bigChalupa.txt' on Session 5 [192.168.1.102) transferred to T C:/OpenDLP/bin/m 
/session_5-[192.1 68.1 .1 02]' on metasploit system. 



Back 



Web Page Mods: Delete Scan 



deletescan.html 

° Modified to make deleting scans more convenient 

° Multiple scans can be deleted at the same time, 
using checkboxes instead of radio buttons. 

° Incomplete scans may be deleted (this is useful if 
you have failed deployments or if you stopped and 
uninstalled a deployment before it was finished) 
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Start New Scan 



View Scans/Results 



Export Scan Results 
Delete Scan Results 




Delete Scans 

By default, only scans whose agents have all finished or have been manually stopped and uninstalled are shown below, and scans curren 
□ display incomplete scans 



Delete 


Scan name 


Scan type 


Finished 


Uninstalled 


Total 


O 


arm 10 


arm_agent 


2 





2 


B 


arm4 


arm_agent 


1 





1 




arm5 


arm_agent 


2 





2 




arm6 


arm_agent 


2 





2 


B 


metascan 


meta_agent 


2 





2 




sc6 


meta_agent 


2 





2 


m 


sc8 


arm_agent 


2 





2 


m 


scanl 


meta_agent 


2 





2 


Delete Scans 





Fire fox T 
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Start New Scan 



View Scans/Results 



Export Scan Results 
Delete Scan Results 




Delete Scans 

By default, only scans whose agents have all finished or have been manually stopped and uninstalled are shown below, and scans currei 
Display incomplete scans 



Delete 


Scan name 


Scan type 


Finished 


Uninstalled 


Total 




3rsd 


arm_agent 













arm 10 


arm_agent 


2 





2 




arm4 


arm_agent 


1 





1 


1 1 


arm5 


arm_agent 


2 





2 


B 


arm6 


arm_agent 


2 





2 


m 


armjongl 


arm_agent 











□ 


asdx 


arm_agent 











□ 


metascan 


meta_agent 


2 





2 


□ 


sc6 


meta_agent 


2 





2 


m 


sc3 


arm_agent 


2 





2 


m 


scanl 


meta_agent 


2 





2 


Delete Scans 





Web Page Mods: Sidebar 



Metasploit->Manage Agents" 

Allows you to start, stop, and uninstall agents 
outside of the normal OpenDLP workflow 

If you start a scan but specified incorrect 
credentials for the OpenDLP server in your profile, 
you can manually stop the scan 

stop and uninstall all running OpenDLP clients in a 
single step 

If an error occurs when removing the service or 
installation directory you can go back later and try 
again manually 
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Manage Agents 



OpenDLP Homepage 



Manage OpenDLP agents through Metasploit 

Using profile: ml 

The following table contains a list of all exploit sessions on the Metasploit system. These may or may not 
have active OpenDLP clients. You may attempt to force pause resume, or uninstallation of an agent 
from any of these sessions. If the OpenDLP agent was not running on the system targeted by a selected session 
the results will indicate such. 





Session Id 


IP Address:Port 


System Info 


Platform 


Exploit Type 


m 


6 


192.168.1.109:57047 


NT AUTH O RITY\S YSTE M @ DEV-HP-E14-3 


x86/win32 


meterpreter 


m 


5 


192.163.1.102:50626 


NT AUTH O RITY\S YSTE M @ ADAMA 


x86/win32 


meterpreter 



Pause Agents Resume Agents Uninstall Agents 



Fire fox T 



:.J OpenDLP 0.4.5 



H L '.} 19Z.16S .1 .106 http : ://192.168 .1 .106/0 p en D LP/m eta -manag e- resu It: . htm I 



ft 



M eta sp I o it Framework... [_.] OpenDLP 0.4.Z [__] http://10.175 .53 .15:800... Q Vincent Cheung: Encry... Firefox Addons for Pen... [__] Armitage - Cyber Atta... 
Disable' A Cookies' / CSS' S Forms' £3 Images*" ^Information' u Miscellaneous' ^ Outline' i Resize' ?^ Tools' c View Source"' OP Options*" 



OpenDLP 0.4.5 
Ma 




OpenDLP Homepage 



Manage OpenDLP agents through Metasploit 



Using profile: ml 
Action: uninstall 



Session Id 


IP Address:Port 


System Info 


Platform 


Exploit Type 


Result 


6 


192.163.1.109:57047 


NT AUTH O RITY\S YSTE M @ DEV-HP-E14-3 


x86/win32 


meterpreter 


OpenDLP is not installed or 


5 


192.163.1.102:50626 


NT AUTH O RITY\S YSTE M @ ADAMA 


x86/win32 


meterpreter 


OpenDLP is not installed ot 



Demo 
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Availability 

http://opendlp.gooqlecode.com 

° Source Code and Binaries 
° VirtualBox VM 
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Contact Information 



► Michael Baucom 

mike@n2netsec.com 
Twitter: @m_baucom 

► Charles Smith 

charles.smith@n2netsec.com 

► Andrew Gavin 

andrew.opendlp@qmail.com 
° Twitter: @OpenDLP 
Twitter: @andrewgavin 




